PIONIER-CERT will assist the system administrators in handling the technical and organisational aspects of incidents. The overall process of incident response can be divided into three main stages: incident triage, incident co-ordination and incident resolution.
The main goals of incident triage are to investigate whether the reported security incident actually occurred, to determine its extent and severity (including the potential impact on the constituency) and to verify whether the occurrence qualifies as an incident according to CSIRT policies. At this point some preliminary processing of the reported information is performed in preparation for further incident management. To be accepted by PIONIER-CERT, an incident report must contain all the information specified in the incident reporting guidelines. Where possible, incidents should be reported by e-mail or fax using the provided report forms. According to the Team's policies, no anonymous incident report will be accepted, except in specific cases (such as a vulnerability report). An incident report should be considered accepted only after a signed confirmation has been received.
The main goal of PIONIER-CERT is to provide comprehensive co-ordination of all responses to a security incident (incident co-ordination), with particular emphasis on exchanging information between the various interested parties. Within this approach, several specific tasks can be distinguished:
- determining the initial cause of the incident (exploited vulnerability),
- facilitating contact with other sites which may be involved,
- facilitating contact with appropriate security teams and/or law enforcement officials if necessary,
- making reports to other CSIRTs,
- composing announcements to users (members of constituency), if applicable,
- collecting and announcing statistics concerning incidents.
Incident resolution is performed only to a very limited extent (mainly due to limited resources); in practice it is restricted to special cases with a potentially significant impact on the constituency. The actual range of activities in such cases may cover removing the vulnerability, restoring a compromised system, or providing direct technical support in collecting evidence when criminal prosecution or other disciplinary action is contemplated.